Cisco prime 2.2.0 "Telnet/SSH : Unreachable"

eyalhezi77
Level 1

Hi,

I've installed the Cisco Prime 2.2.0 OVA (VMware) and ran discovery with a Credential Profile.

Some of the devices were discovered with Complete state and some with Partial Collection Failure state.

When trying to edit the device (under network inventory) and verify credentials, I'm getting the above error "Telnet/SSH : Unreachable", but when I SSH from the Cisco Prime CLI with the same credentials, all works just fine.

%SSH-5-SSH2_SESSION: SSH2 Session request from X.X.X.X (tty = 1) using crypto cipher '', hmac '' Failed

Please help...

10x

Eyal

11 Replies

AFROJ AHMAD
Cisco Employee

Eyal,

It must be a credentials issue only; please make sure the credentials are correct.

Thanks-

Afroz

Hi Afroz,

All of my net devices use AAA for login.

I'm using a credentials profile to discover my devices; some of them were discovered as they should be and some of them are partially discovered, with Cisco Prime logging it as a CLI/SSH issue.

But when I SSH to the partially discovered device via the Cisco Prime CLI with the same credentials as configured in the credential profile, I'm able to log in with no issue.

Please note - while I'm editing the partially discovered device and testing the credentials via the Prime GUI, it displays the error message "Telnet/SSH : Unreachable" - and the device log message is %SSH-5-SSH2_SESSION: SSH2 Session request from X.X.X.X (tty = 1) using crypto cipher '', hmac '' Failed.

What does it mean?

10x

Eyal

For the devices that aren't working do you perchance have a non-default Diffie-Hellman (DH) group set for ssh?

PI only communicates via DH1. Some people using DH14 or other non-default DH groups have reported similar problems.

How can I check/configure this?

Generally it would show up in the device configuration file. Look for an entry like "ip ssh dh min size".

Here is a link to the command reference explaining the options.

Guess I'm running an old IOS version.

I had a similar issue with PI 2.1; not sure if I still have it with PI 2.2.

The issue turned out to be that the devices PI could not SSH onto were running SSHv1. It turned out that some idiot had only configured the SSH crypto key with a 512-bit key, so the device would not let me switch to SSHv2.

 

That's an excellent point, Richard.

The bottom line seems to be that PI's programmatic ssh access requires ssh v2 using DH group 1 to work properly.

Erring with either ssh v1 (most likely due to too small a modulus in the crypto key) or a more recent DH group causes it to fail.

It looks like Prime 2.2 may be trying to use DH group 14 and older devices fail.

Jan 26 22:10:54.498 Central: SSH2 10: kex algo not supported: client diffie-hellman-group14-sha1, server diffie-hellman-group1-sha1

Hi guys,

It's happening to me as well. I recently installed CPI 2.2. I have a population of 3750 on OS 15.0 (2)SE7 working fine, but devices on OS 12... don't work. Is there any workaround for this that doesn't include updating the switch OS?

From the Prime CLI I can ssh without problem to those devices but I cannot import the devices.

"Could not connect to device via CLI (SSH/telnet). Check device credentials and SSH/telnet reachability."

Thanks in advance

Justin Winter
Level 1

Has this been resolved? I have the same issue on a few devices and I just cannot get this to work. sh ip ssh shows I'm running a 2048 key and SSHv2. Everything matches and it refuses to log in. I can log in using the user/password just fine, but when attempting to use Prime it tells me Telnet/SSH unreachable. When I do a debug ip ssh client it tells me: SSH-3-No_MATCH: no matching cipher found, but those ciphers are there??
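
A triage script for the three device log lines quoted in this thread plus the "ip ssh dh min size" setting, added here as an example; it is not from any poster or from Cisco. The function names, category labels and the sample config are assumptions made for illustration.

```python
import re

# Patterns for the device log lines quoted in this thread.
KEX_RE = re.compile(r"kex algo not supported: client ([\w.@-]+), server ([\w.@-]+)")
NO_MATCH_RE = re.compile(r"SSH-3-NO_MATCH: no matching (\w+) found", re.IGNORECASE)
SESSION_RE = re.compile(
    r"SSH2 Session request from (\S+) \(tty = \d+\) "
    r"using crypto cipher '([^']*)', hmac '([^']*)' (\w+)")
DH_MIN_RE = re.compile(r"^\s*ip ssh dh min size (\d+)\s*$", re.MULTILINE)

# Modulus size of the fixed DH groups defined for SSH in RFC 4253.
GROUP_BITS = {"diffie-hellman-group1-sha1": 1024,
              "diffie-hellman-group14-sha1": 2048}

def classify(line):
    """Map one log line to (category, detail), or None if unrecognised."""
    m = KEX_RE.search(line)
    if m:
        client, server = m.groups()
        return ("kex-mismatch", {"client": client, "server": server,
                                 "client_bits": GROUP_BITS.get(client),
                                 "server_bits": GROUP_BITS.get(server)})
    m = NO_MATCH_RE.search(line)
    if m:
        return ("no-common-algorithm", {"kind": m.group(1).lower()})
    m = SESSION_RE.search(line)
    if m:
        peer, cipher, hmac, status = m.groups()
        if status == "Failed" and not cipher and not hmac:
            # Empty cipher/hmac fields: nothing was agreed before the failure.
            return ("failed-before-cipher-agreed", {"peer": peer})
        return ("session-" + status.lower(), {"peer": peer, "cipher": cipher})
    return None

def dh_min_size(config_text):
    """Return the configured 'ip ssh dh min size' value, or None if absent."""
    m = DH_MIN_RE.search(config_text)
    return int(m.group(1)) if m else None

def group_allowed(kex_name, config_text):
    """True if the named fixed group meets the device's DH minimum, if one is set."""
    bits, minimum = GROUP_BITS.get(kex_name), dh_min_size(config_text)
    return bits is not None and (minimum is None or bits >= minimum)

# Constructed sample input: log lines as quoted in the thread, and a made-up config.
SAMPLE_LOG = [
    "%SSH-5-SSH2_SESSION: SSH2 Session request from X.X.X.X (tty = 1) using crypto cipher '', hmac '' Failed",
    "Jan 26 22:10:54.498 Central: SSH2 10: kex algo not supported: client diffie-hellman-group14-sha1, server diffie-hellman-group1-sha1",
    "SSH-3-No_MATCH: no matching cipher found",
]
SAMPLE_CONFIG = "ip ssh version 2\nip ssh dh min size 2048\n"
```

Calling `classify` on each line of a device's log separates a key-exchange mismatch from a cipher mismatch, which the GUI reports identically as "Telnet/SSH : Unreachable".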
